Unless something is drastically wrong, the sensor generally doesn't drop packets. Remember that RealSecure version 7.0 is roughly 10 times faster than RealSecure version 6.0; therefore, whereas v6 customers worried about packet loss, v7 customers generally don't.

By far the best way to monitor the situation is the event "SensorStatistics". If enabled in the policy, it will trigger every 15 minutes, and include a number of interesting numbers in the "event details" portion.

One of the most important numbers counts the number of TCP "acknowledgements" for data that the sensor didn't see. (In other words, the machines on either end saw the data, but the network sensor didn't.) This will tell you when the sensor drops packets, as well as when packets are being dropped before they reach the sensor. A lot of customers have used this number to figure out that their switch's monitor port was dropping occasional packets.

The sensor itself can tell you when it thinks it has dropped a packet with the "SensorError" events, but I think "SensorStatistics" is better.

Note that you should never run an IDS under the condition where a certain percentage of packets is being dropped. An IDS is either dropping packets, or it isn't. Even a small number of dropped packets can lead to high numbers of false-positives and false-negatives. Part of the installation procedure is to make sure it is installed in such a way that it isn't dropping packets. In other words, the SensorStatistic value of "tcp.nodataacks" should always be zero.

Robert Graham
Chief Scientist, ISS

--- "Johnson, Scott" <[EMAIL PROTECTED]> wrote:
> How can I monitor the network sensor for bandwidth allocation and what
> percentage of packets are being dropped?
>
> Scott Johnson, CISSP, GSEC
> ERCOT Cyber Security
> Office 512-248-3152
> Cell 512-917-9844
>

=====
Robert Graham
play[http://www.robertgraham.com] work[http://iss.net]
"Security is mostly a superstition, it does not exist in nature" -- H. Keller

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
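
The counter described in the message above (ACKs for data the observer never saw) can be derived from any passive capture. The following is an added example, not part of the original message and not ISS code: how RealSecure computes "tcp.nodataacks" is not stated on this page, and the `Seg` record, function names and sample trace are constructed for illustration.

```python
from collections import namedtuple

# One TCP segment as a passive sensor would record it (constructed format).
Seg = namedtuple("Seg", "src dst flags seq ack length")
MOD = 1 << 32

def seq_after(a, b):
    """True if sequence number a is later than b, modulo 2**32."""
    return a != b and (a - b) % MOD < (1 << 31)

def advance(contig, pending, d):
    """Merge buffered segments that now touch the contiguous edge."""
    moved = True
    while moved:
        moved = False
        for start, end in list(pending.get(d, {}).items()):
            if not seq_after(start, contig[d]):
                del pending[d][start]
                if seq_after(end, contig[d]):
                    contig[d] = end
                moved = True

def count_unseen_acks(segments):
    """Count ACKs covering bytes that never appeared in the capture."""
    contig, pending, unseen = {}, {}, 0
    for s in segments:
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        # An ACK refers to data sent in the reverse direction.
        if "A" in s.flags and rev in contig and seq_after(s.ack, contig[rev]):
            unseen += 1
            contig[rev] = s.ack          # resync so each hole counts once
            advance(contig, pending, rev)
        # SYN and FIN each consume one sequence number.
        end = (s.seq + s.length + ("S" in s.flags) + ("F" in s.flags)) % MOD
        if fwd not in contig:
            contig[fwd] = end            # first segment seen in this direction
        elif end != s.seq:
            pending.setdefault(fwd, {})[s.seq] = end
            advance(contig, pending, fwd)
    return unseen

def sample_trace(drop_middle):
    """Constructed handshake plus three data segments from C to S."""
    C, S = "10.0.0.1:40000", "10.0.0.2:80"
    t = [Seg(C, S, "S", 1000, 0, 0), Seg(S, C, "SA", 5000, 1001, 0),
         Seg(C, S, "A", 1001, 5001, 0), Seg(C, S, "PA", 1001, 5001, 100),
         Seg(S, C, "A", 5001, 1101, 0), Seg(C, S, "PA", 1101, 5001, 200),
         Seg(C, S, "PA", 1301, 5001, 100), Seg(S, C, "A", 5001, 1401, 0)]
    return [x for i, x in enumerate(t) if not (drop_middle and i == 5)]

if __name__ == "__main__":
    print(count_unseen_acks(sample_trace(False)), count_unseen_acks(sample_trace(True)))
```

A nonzero result means the capture point missed data that both endpoints exchanged, whether the loss happened in the sensor or upstream of it, such as at a switch monitor port.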
